The malware wars: How you can fight it

A tip-filled conversation with Andrew Brandt, director of threat research at Solera Networks, reveals some of the ways hackers sneak malware into PCs.

Malware most often embeds itself with our unwitting help, but even when we have our defenses fully up, malware can still climb aboard. Nevertheless, there are practical and effective ways to defeat it — or clean it out after the fact.

Malware detection and decryption is my business

I met with Brandt at the annual February RSA security conference in San Francisco, Calif. We sat down to talk about the current state of malware and online security.

“Bring it on!” is Brandt’s mantra on malware. That’s because his job is letting malware run on his systems — on purpose. Using Windows XP, Vista, Windows 7, and Windows 8 test machines, he regularly browses sites known to harbor malicious content. But his unprotected systems (sometimes referred to as honey pots) often get malware infections all on their own.

The viruses, Trojans, etc. deposited daily on his computers are fodder for his primary work: reverse-engineering malware so he can understand how the latest exploits work — and how to prevent malware from intruding again. “Unfortunately,” says Brandt, “the goal posts are constantly changing with each malware sample. By design, more-sophisticated malware scripts change every time they run; they effectively create a custom version and, in doing so, change their identity every time they run. That constant change defeats much of the security software in use, which is looking for some previous design [or signature].”

Does that mean installing and using AV software is futile? “No,” says Brandt, “any amount of protection certainly helps. Some security software is better than others at finding and quarantining infections, but no single product can detect everything that’s out there, especially when it changes by the minute — not by the day, by the minute!”

As Brandt explains, AV programs need to cross-check each instance of a malware attack against a constantly updated database. But a database containing every version of malware is infeasible; it gets too large to be of practical use. Malicious code often changes its signature by as little as one byte — which might be enough to defeat signature-matching. Moreover, well-written (for want of a better term) malware uses obfuscation techniques to hide itself within a PC. “So an infection can be found only after the damage is done,” Brandt notes. “Of course, then it’s too late.”

To prevent infections, says Brandt, “You’ve got to embrace [anti-malware] deficiencies and take more personal responsibility. Most people tend to click before they think, and sites like Facebook have made matters worse. We click a link simply because it came from a social-network friend. At this point in the malware wars, you need to put a critical eye on any link — no matter how trusted the source. Your Facebook or email friend might have been fooled, and the link they sent you goes to a site that automatically loads its exploit.”

Social-engineering threats are rapidly growing, courtesy of sites that regularly use abbreviated URLs. Anyone who’s read Twitter or Facebook posts is familiar with cryptic links from shorteners such as bitly, tinyurl, and snipurl. Because they’re shortened to seemingly random letters, numbers, and characters, you don’t know where they’re actually taking you. But all too often, we click them anyway.

Tip: You can preview shortened URLs to see their true destination. For example, with bitly addresses, simply paste them into your browser, add a + after the URL (for example, //bitly.com/13LRaF4+ [Solera Networks page]), and press Enter. Adding the plus sign takes you to the bitly site first, where you’ll see a stats page for the destination site.

For tinyurl addresses, add “preview” before the address. For example, enter //preview.tinyurl.com/{xxxxx}, and the uncloaked address will appear at the tinyurl site.

For snipurl addresses, add “peek” before the shortened address. For example, //peek.snipurl.com/26kl5qy takes you to the Snipurl site and displays the full URL:

For any link — short or long — in a webpage, hover your cursor over the link and the true, full address should appear at the bottom of the browser window. Say, for example, you get an email from PayPal with what looks superficially like a legitimate link. But if the true link is something like //X5932OwzBulgaria45634.cn or //paypal.gotcha.co.ru, it could well lead to getting hacked or phished.

Figure 1. Fake PayPal notification

The ingredients of a malicious hack recipe

From his years of observing malware, Brandt believes that “the number one delivery method of a hack is a ZIP file. It might be disguised as a link or email attachment, but when opened, it will automatically unzip and execute the exploit that lodges malicious code in your computer.” Zipping the malware also hides its signature executable file, thus preventing its detection by AV software.

Other popular methods for delivering malware include PDFs, EXE files, and links that take you to intermediate sites that then immediately forward you to compromised sites. So again, it’s important to preview the address of a link. Some poorly written ones will actually show an executable file at the end — //dangerousmalware.com/569dk.exe, for example.
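The two manual checks described above (rewriting a shortened URL into the shortener’s preview form, and comparing a link’s visible text with its real destination, including links that end in an executable) can be scripted. The following is an added example written for this article, not code from Brandt or Solera Networks; it assumes the preview conventions the article gives for bitly, tinyurl, and snipurl, and the sample links it inspects are constructed for illustration (the PayPal and dangerousmalware hosts are the article’s own examples).

```python
"""Link-inspection helpers (added example; hypothetical module, not the article's code)."""
import re
from urllib.parse import urlsplit, urlunsplit

# File types the article says to be wary of when they appear at the end of a link.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd")

# Something that looks like a host name inside visible link text, e.g. "www.paypal.com".
_HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _normalize(url):
    """Parse a URL, treating scheme-less forms such as '//bitly.com/x' as http."""
    url = url.strip()
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def preview_url(url):
    """Return the preview form of a shortened URL, or None if the host is not one
    of the shorteners the article describes."""
    parts = _normalize(url)
    host = _strip_www(parts.hostname or "")
    if host in ("bitly.com", "bit.ly"):
        # bitly: append "+" to the short path to land on the stats page first
        return urlunsplit(parts._replace(path=parts.path + "+"))
    if host == "tinyurl.com":
        # tinyurl: prefix the host with "preview."
        return urlunsplit(parts._replace(netloc="preview.tinyurl.com"))
    if host == "snipurl.com":
        # snipurl: prefix the host with "peek."
        return urlunsplit(parts._replace(netloc="peek.snipurl.com"))
    return None


def link_warnings(display_text, href):
    """Apply the article's hover check to one link: does the visible text name a
    different site than the real destination, and does the destination point
    straight at an executable file? Returns a list of warning strings."""
    parts = _normalize(href)
    host = _strip_www((parts.hostname or "").lower())
    warnings = []
    for match in _HOST_IN_TEXT.finditer(display_text):
        claimed = _strip_www(match.group(1).lower())
        # A real paypal.com link may live on a subdomain of paypal.com, but
        # paypal.gotcha.co.ru is a different registered site entirely.
        if host != claimed and not host.endswith("." + claimed):
            warnings.append(f"text names {claimed} but link goes to {host}")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        filename = parts.path.rsplit("/", 1)[-1]
        warnings.append(f"link downloads an executable: {filename}")
    return warnings


def inspect_links(links):
    """Run both checks over (display_text, href) pairs; returns {href: findings}."""
    report = {}
    for text, href in links:
        findings = list(link_warnings(text, href))
        preview = preview_url(href)
        if preview:
            findings.append(f"shortened link; preview it at {preview}")
        report[href] = findings
    return report


# Constructed sample links, modelled on the article's examples.
SAMPLE_LINKS = [
    ("Log in at www.paypal.com to verify your account", "//paypal.gotcha.co.ru/login"),
    ("Download your invoice", "//dangerousmalware.com/569dk.exe"),
    ("Read more", "//bitly.com/13LRaF4"),
    ("www.paypal.com", "https://www.paypal.com/signin"),
]

if __name__ == "__main__":
    for href, findings in inspect_links(SAMPLE_LINKS).items():
        print(href, "->", findings or ["no warnings"])
```

The hostname comparison is deliberately simple: it only asks whether the real host is the named site or a subdomain of it, which is exactly the judgement the article asks you to make when you hover over a link. A link whose visible text names no site at all (“Click here”) produces no mismatch warning, so the preview and hover habits still apply.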

According to Brandt, if you know where a malware file resides on your computer, you might be able to manually remove it. But then you have to know exactly what you’re looking for. “From my research, I’ve noticed that these files are usually deposited in temp-file locations. They show up as .exe or .dll files.” You don’t normally find executable files in a temp-file folder.

“If you are still using XP, I’d advise upgrading to Win7 or Win8 as soon as possible — XP is wide open to malware intrusions. Vista and Windows 7 [mostly] fixed this open door with the User Account Control; it pops up every time there is an attempt to make changes to your system, legitimate or not (such as when a new app tries to install). Most people just click Okay and continue, but this is one point when there’s a chance of stopping an infection from entering.”

Caught red-handed: A conversation with a hacker

The malware-monitoring systems in Brandt’s lab see constant activity from online. “One time, I was tending to one PC and, when I turned away from it momentarily, I noticed an open chat window on another machine. A message in the chat screen stated, ‘Yo, bro, you caught me.’ I responded back with an ‘LOL.’” Using malware installed on the XP system, a hacker was creating a text-based report of every open window’s titlebar and sending it to an address in Tunisia.

“I created a text file on my desktop that said, ‘Hey, come back.’ He did. In a series of chat sessions, he told me his story: He ran a network business in Tunisia but, because of the revolution there, business was slow. So to earn money to take care of his family, he was creating botnets to take over computers around the world. He used the botnets to harvest passwords, credit card numbers, and other personal data that he could then sell to other hackers.” (A lot of malware guys get cocky and start communicating with security analysts directly, in a sort of catch-me-if-you-can game.)

“There are open, online markets where malware exploit codes are available free or for sale. The Tunisian hacker would get them as soon as they were made available and use them. He also used free (and perfectly legitimate) remote-control software — TeamViewer — to take over computers. It would send back screen shots from infected PCs to him every 30 seconds.”

Today, says Brandt, most of the malicious code comes from Russia and other East European countries and from China. Much of it is implemented lazily, so it conforms to known patterns which many email clients recognize and immediately send to spam folders. But some of it does get through. Unfortunately, many of these guys are one step ahead of the analysts.

Brandt’s Tunisian chat-pal hacker was apparently close to getting caught but shut down his operation in the nick of time. After that he was more particular about his exploits.

When asked the top three ways to deter malware on a PC, Brandt’s suggestions are ones we should all know — and follow — by now.

1. Stop using Windows XP.

2. Install and keep updated security software such as the free AVG and Malwarebytes.

3. Most important: Think before clicking any link and whenever Windows unexpectedly asks whether you want to proceed with a change to your PC settings.
